From 673a1e34141cc37fdec71192b4ef6590d8f92cba Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Thu, 11 Apr 2024 10:37:37 +0900 Subject: [PATCH] Fix CVE-2024-2357 Resolves: RHEL-28743 Signed-off-by: Daiki Ueno --- libreswan-4.12-ikev2-auth-delete-state.patch | 54 ++++++++++++++++++++ libreswan.spec | 6 ++- 2 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 libreswan-4.12-ikev2-auth-delete-state.patch diff --git a/libreswan-4.12-ikev2-auth-delete-state.patch b/libreswan-4.12-ikev2-auth-delete-state.patch new file mode 100644 index 0000000..c17b457 --- /dev/null +++ b/libreswan-4.12-ikev2-auth-delete-state.patch @@ -0,0 +1,54 @@ +From 2ec448884a7467743699803f8a36ee28d237666c Mon Sep 17 00:00:00 2001 +From: Andrew Cagney +Date: Wed, 28 Feb 2024 08:29:53 -0500 +Subject: [PATCH] ikev2: return STF_FATAL when initiator fails to emit AUTH + packet + +--- + programs/pluto/ikev2_ike_auth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/programs/pluto/ikev2_ike_auth.c b/programs/pluto/ikev2_ike_auth.c +index 192eb1b3b6..a54a109699 100644 +--- a/programs/pluto/ikev2_ike_auth.c ++++ b/programs/pluto/ikev2_ike_auth.c +@@ -1267,7 +1267,7 @@ static stf_status process_v2_IKE_AUTH_request_auth_signature_continue(struct ike + /* now send AUTH payload */ + + if (!emit_local_v2AUTH(ike, auth_sig, &ike->sa.st_v2_id_payload.mac, response.pbs)) { +- return STF_INTERNAL_ERROR; ++ return STF_FATAL; + } + ike->sa.st_v2_ike_intermediate.used = false; + +-- +2.44.0 + +From 16272f2475d25baab58fbed2af7c67cfb459137f Mon Sep 17 00:00:00 2001 +From: Andrew Cagney +Date: Thu, 29 Feb 2024 12:19:20 -0500 +Subject: [PATCH] ikev2: always return STF_FATAL if emitting AUTH fails + +Fix: + ikev2: return STF_FATAL when initiator fails to emit AUTH packet +which really fixed the responder. +--- + programs/pluto/ikev2_ike_auth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/programs/pluto/ikev2_ike_auth.c b/programs/pluto/ikev2_ike_auth.c +index a54a109699..491053fb10 100644 +--- a/programs/pluto/ikev2_ike_auth.c ++++ b/programs/pluto/ikev2_ike_auth.c +@@ -397,7 +397,7 @@ stf_status initiate_v2_IKE_AUTH_request_signature_continue(struct ike_sa *ike, + /* send out the AUTH payload */ + + if (!emit_local_v2AUTH(ike, auth_sig, &ike->sa.st_v2_id_payload.mac, request.pbs)) { +- return STF_INTERNAL_ERROR; ++ return STF_FATAL; + } + + if (LIN(POLICY_MOBIKE, ike->sa.st_connection->policy)) { +-- +2.44.0 + diff --git a/libreswan.spec b/libreswan.spec index 2dabbb4..8ce71c5 100644 --- a/libreswan.spec +++ b/libreswan.spec @@ -31,7 +31,7 @@ Name: libreswan Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec # version is generated in the release script Version: 4.12 -Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist} +Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist} License: GPLv2 Url: https://libreswan.org/ Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz @@ -41,6 +41,7 @@ Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2 Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2 %endif Patch: libreswan-4.6-ikev1-policy-defaults-to-drop.patch +Patch: libreswan-4.12-ikev2-auth-delete-state.patch BuildRequires: audit-libs-devel BuildRequires: bison @@ -196,6 +197,9 @@ certutil -N -d sql:$tmpdir --empty-password %doc %{_mandir}/*/* %changelog +* Thu Apr 11 2024 Daiki Ueno - 4.12-2 +- Fix CVE-2024-2357 (RHEL-28743) + * Wed Aug 9 2023 Daiki Ueno - 4.12-1 - Update to 4.12 to fix CVE-2023-38710, CVE-2023-38711, CVE-2023-38712 - Resolves: rhbz#2215956